Module 5 - Risk Management Flashcards

1
Q

Risk Management

A

Risk management identifies risks and vulnerabilities that pose a threat and applies administrative actions and comprehensive solutions to make sure the organisation is adequately protected.

2
Q

Risk

A

Risk is the probability of loss due to a threat — a malicious act or unexpected event — that damages information systems or organisational assets.

3
Q

Risk Impact

A

Risk impact is the damage incurred by an event which causes loss of asset(s) or disruption of service(s). The goal of risk management is to reduce these threats to an acceptable level and to implement controls to maintain that level.

4
Q

High risk

A

Negligence means that no actions or controls are taken to lower risk. The threat is very high, and the cost of an incident could be catastrophic.

5
Q

Lower Risk

A

Exercising due care can help lower the level of risk. The risk still exists but these reasonable steps lower a potential loss.

6
Q

Acceptable Risk

A

Exercising due diligence involves taking reasonable steps to eliminate risk. Some risks still exist, but multiple controls are implemented to prevent potential loss.

7
Q

Risk Management options

A
  • Avoidance (Elimination)
  • Mitigation (Reduction)
  • Transfer
  • Accept
8
Q

Negligence

A

Negligence is a legal concept that refers to the failure to exercise reasonable care or the failure to take appropriate precautions, resulting in harm or damage to others. It can occur when an individual or entity, such as an organisation, does not meet the standard of care expected in a given situation, leading to potential legal liability.

9
Q

Due Care

A

Due care refers to the degree of care and attention that a reasonable and prudent person or organisation would exercise in similar circumstances to prevent harm or minimize risk.

10
Q

Due Diligence

A

Due diligence is a more extensive and comprehensive investigation or research process undertaken to gather all relevant information and facts before making a decision or taking action.

11
Q

Assets

A

Assets are anything of value that is used in and is necessary for the completion of a business task. Assets include both tangible and intangible items such as equipment, software code, data, facilities, personnel, market value and public opinion. Risk management is all about protecting valued organisational assets.

12
Q

Threats

A

A threat is a malicious act or unexpected event that damages information systems or other related organisational assets. Threats can be intentional actions that result in the loss of or damage to an asset, or unintentional, such as an accident, natural disaster, or equipment failure.

13
Q

Vulnerability

A

A vulnerability is any flaw or weakness that would allow a threat to cause harm and damage an asset. Examples include faulty code, misconfigurations, and failure to follow procedures.

14
Q

Impact

A

Risk impact is the damage incurred by an event which causes loss of an asset or disruption of service. This damage can be measured quantitatively or qualitatively based on the impact to the organisation’s operations.

15
Q

Countermeasures

A

A countermeasure is an action, device, or technique that reduces a threat or a vulnerability by eliminating or preventing it. Examples include antivirus software, firewalls, policies, and training.

16
Q

Risk Assessment

A

Risk assessment is the process of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.

17
Q

What are the stages of the Risk Management Process?

A
  • Frame the Risk
  • Assess the Risk
  • Respond to the Risk
  • Monitor the Risk
18
Q

Frame the Risk

A

Identify the threats throughout the organization that increase risk. Threats identified include loss or damage of processes and products, attacks, potential failure or disruption of services, harm to the organization’s reputation, legal liability, and loss of intellectual property.

19
Q

Respond to the Risk

A

Develop an action plan to reduce overall organization risk exposure. Management ranks and prioritizes threats; a team then determines how to respond to each threat. Risk can be eliminated, mitigated, transferred, or accepted.

20
Q

Assess the Risk

A

Once a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses. Some threats can bring the entire organization to a standstill while other threats are merely minor inconveniences. Risk can be prioritized by actual financial impact (quantitative analysis) or a scaled impact on the organization’s operation (qualitative analysis).

21
Q

Monitor the Risk

A

Continuously review risk reductions due to elimination, mitigation and transfer actions.

Not all risks can be eliminated, so threats that are accepted need to be closely monitored. An organisation can use a risk register — a software program or cloud service — to record information about identified risks. The risk register contains details about the risk and the controls implemented or response strategies used.